Craig Thomler's professional blog - eGovernment and Gov 2.0 thoughts and speculations from an Australian perspective

Craig Thomler

I've worked in the online sector since 1995 in roles including founder, publisher, journalist, webmaster, marketer, channel manager, CIO, COO and visionary. I left the public sector in early 2012 to lead Delib Australia as Managing Director Australia and New Zealand. More...

Tuesday, June 28, 2011

The EU Government's 2009 Directive banning "unnecessary" cookies on websites (unless the site asks users to accept the cookie first) has just begun coming into effect, causing havoc and distress amongst European webmasters.

Cookies are small text files that websites store on a user's computer in order to reduce the need for users to enter information again and again. They are used in ecommerce sites to 'remember' what is in your shopping trolley, in social media sites to remember that you're logged in, to personalise content or advertisements based on your preferences and by many sites to provide anonymous website reports.

It is estimated that around 92% of websites use cookies. In fact it is hard to imagine the modern web without them.

However, in 2009 the European Union decided, as part of an amendment to its Privacy and Electronic Communications Directive, that cookies may pose a privacy threat to individuals, even though all modern web browsers allow users to choose whether to accept or refuse cookies.

While the Directive doesn't explain why they may pose a threat, it states that cookies can be a useful tool and,

their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment.

In other words, when cookies are used for a legitimate purpose (though 'legitimate' is not clearly defined in the Directive), websites may use them provided that users are given an up-front way to see what each cookie is for and to 'opt out' of each cookie.

This directive was to be transposed into national law by European states by May 2011. So far only three countries have complied: Denmark, Estonia and the United Kingdom. The UK has also given webmasters twelve months to introduce appropriate opt-out controls on their websites, recognising the impact of its law. Other EU countries will introduce their cookie laws soon.

So OK, European websites using cookies must now have an opt-out provision for UK, Danish and Estonian users, and soon for all users in the EU.

So where is the sting in the tail?

Firstly, these laws may apply to all websites that are viewable in European countries, as existing European privacy laws already require. This would mean that Google, Facebook, Twitter and other social media sites hosted in the UK, Asia or anywhere else in the world would need to change how they functioned due to European-only laws.

Under this interpretation (yet to be tested in court), all (hundred million plus) websites, whether ecommerce, news, information or government would have to comply.

That includes Australian government websites using cookies, including any using Google Analytics, 'share' tools, shopping carts or otherwise using cookies to store (even non-identifiable) information on users - even for a single session.

There is an alternative. Non-European websites could simply block Europeans from viewing their sites and therefore would not need to comply with the European law. That would present a very interesting geographic freedom-of-information ban, as well as damaging the businesses of many organisations and governments who want Europeans to access their websites.

The second concern is around how the opt-in approach to cookies must work.

There's no clear approach in the Directive and plenty of confusion on how the opt-in control should work. The suggested approaches in the UK are to use pop-ups (which most modern browsers automatically block) or to use an 'accordion' that appears at the top of all webpages, as is used by the UK's Information Commissioner's Office (ICO) - the ugly block of text at the top of the website.

The BBC has introduced an opt-in approach that accidentally managed to break the law while implementing it - by using a cookie to hide the message asking you to opt-in for cookies. Oops - they needed to have an opt-in for that too.
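The BBC mistake above is the classic failure mode of a consent banner: the "don't show me this again" state is itself stored in a cookie before the user has agreed to any cookies. The following is an added example, not code from the original post or from the BBC or ICO, showing one way to structure a consent gate so that nothing is written to the visitor's browser until they explicitly accept. The cookie name `cookie_consent`, the `analytics_id` cookie and the in-memory jar are constructed for this illustration; the storage backend is abstracted so the same logic can sit over `document.cookie` in a browser or an in-memory map when run outside one.

```javascript
// Added example: a consent gate that writes no cookies (not even the banner's own
// "dismissed" state) until the visitor explicitly opts in. Nothing here is taken
// from the original post; names and sample values are constructed.

// In-memory stand-in for document.cookie, used when no browser is available.
class MemoryCookieJar {
  constructor() { this.jar = new Map(); }
  get(name) { return this.jar.has(name) ? this.jar.get(name) : null; }
  set(name, value) { this.jar.set(name, value); }
  names() { return [...this.jar.keys()].sort(); }
}

// Browser-backed jar; only usable where `document` exists.
// Note: the Secure attribute means the cookie is silently dropped on plain HTTP.
class DocumentCookieJar {
  get(name) {
    const m = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
    return m ? decodeURIComponent(m[1]) : null;
  }
  set(name, value) {
    document.cookie = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`;
  }
  names() {
    return document.cookie.split('; ').filter(Boolean).map(c => c.split('=')[0]).sort();
  }
}

const CONSENT_COOKIE = 'cookie_consent'; // assumed name, not from the post

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.pending = []; // non-essential cookies requested before consent; held, not written
  }

  hasConsent() { return this.jar.get(CONSENT_COOKIE) === 'accepted'; }

  // The banner's visibility is derived from the consent cookie alone. Keeping a
  // separate "banner dismissed" cookie is exactly the mistake described above.
  bannerVisible() { return !this.hasConsent(); }

  // Every non-essential cookie (analytics, personalisation, share widgets) goes
  // through here. Returns true only if the cookie was actually written.
  setCookie(name, value) {
    if (this.hasConsent()) { this.jar.set(name, value); return true; }
    this.pending.push([name, value]);
    return false;
  }

  // Explicit opt-in: record it, then flush whatever was held back.
  accept() {
    this.jar.set(CONSENT_COOKIE, 'accepted');
    for (const [n, v] of this.pending) this.jar.set(n, v);
    this.pending = [];
  }

  // Refusal writes nothing at all; the trade-off is that the banner reappears on
  // the next page load, because remembering the refusal would itself need a cookie.
  decline() { this.pending = []; }
}

// Walks through a visit: analytics cookie requested before consent, then the
// visitor accepts. Returns the jar contents before and after for inspection.
function demo(jar = new MemoryCookieJar()) {
  const gate = new ConsentGate(jar);
  const writtenBefore = gate.setCookie('analytics_id', 'demo-123'); // constructed value
  const before = jar.names();
  gate.accept();
  const after = jar.names();
  return { writtenBefore, before, after, bannerAfter: gate.bannerVisible() };
}

console.log(JSON.stringify(demo()));
```

In a real page the `DocumentCookieJar` would be passed to `ConsentGate` and `accept()` wired to the banner's button; the point of the structure is that the only code path able to write to the browser runs after the user's action, so the banner cannot hide itself by the very mechanism it is asking permission for.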

The third issue with this European directive is the impact on useful things websites do. It will become much harder to personalise content for users or to report on website usage. Indeed the impact of people opting out of cookies, which renders all cookie-based reporting significantly less accurate, is already being measured. The ICO's website has itself seen a 90% fall in recorded (tracked) traffic. This means the ICO will no longer know what its site users are doing and cannot optimise and improve its website as effectively. Magnify this across millions of websites.


Legal Disclaimer: This is a personal blog. It is not officially endorsed by the Australian Government. The views expressed are those of the author or originators and do not necessarily reflect the views of the Australian Government or any other individuals or organisations.